The Risk-Utility Tradeoff for IP Address Truncation

1
The Risk-Utility Tradeoff for IP Address
Truncation
  • 1st ACM Workshop on Network Data Anonymization
    (NDA 2008)
  • Martin Burkhart, Daniela Brauckhoff, Martin May
    (ETH Zurich)
  • Elisa Boschi (Hitachi Europe)

2
Motivation
  • Sharing of traffic data is difficult due to:
      • Data protection legislation
      • Security concerns
      • Competitive advantage
  • Anonymization tools are available (e.g., FLAIM,
    AnonTool), yet properties of techniques are
    poorly understood:
      • Utility of anonymized data?
      • Risk of privacy breach?
  • Techniques that permute IP addresses are
    reversible:
      • Characteristic object sizes/frequencies,
        behavioral profiling, active ports, prefix
        structure
      • Worst case: actively inject crafted fingerprints
  • Apply IP address truncation and evaluate the risk
    and utility dimensions

3
Effect of Truncation
  • Lower risk: hosts are aggregated to subnets
  • Lower utility: resolution of entities is reduced
  • Quantifying the tradeoff: how bad is it in
    numbers?

[Figure: Risk(x) and Utility(x) against x, the number of truncated bits, with x = 0, x = 16 and x = 32 marked; labels: "Sweet Spot", "?"]

4
Measuring Utility of Truncated Data
  • Specific application: anomaly detection
      • Compare detection quality of scans and (D)DoS
        attacks in original and truncated data
  • 4 IP-based metrics:
      • Unique address count
      • Address entropy
      • Internal and external
  • 3 weeks of NetFlow data:
      • SWITCH network
      • 43 billion flows

5
Measuring Detection Quality
  • Ground truth: manual identification of
    scans/(D)DoS attacks
  • Run a Kalman filter on metric timeseries
  • Utility measured by AUC (area under the ROC curve)

[Figure label: "Vary threshold"]

6
Utility of Truncated Data
[Figure panels: Entropy EXT, Entropy INT, Counts EXT, Counts INT]
  • Counts degrade more quickly than entropy
  • Internal metrics degrade more quickly than
    external metrics

7
Internal vs. External Prefixes
  • Asymmetry in prefixes:
      • External
      • Internal (AS 559)

[Figure: Unique Count (log) against Prefix length (32-x)]

8
Risk of Truncated Data
  • Risk depends on attacker model:
      • Capabilities: can do active fingerprinting, knows
        the set of original addresses (very strong)
      • Goal: deanonymization of IP addresses
  • Estimate the average probability of correctly
    guessing original IP addresses
  • Risk metric based on conditional entropy
    [Bezzi07]

9
Estimating Risk with Conditional Entropy
  • Conditional entropy
  • S: set of original IP addresses
  • R: set of anonymized IP addresses
  • H(S|r) measures the uncertainty about the
    original address, given an anonymized address r

10
Risk with Truncation
  • Probability of correctly guessing
  • Truncation of x bits: 2^x potential addresses
  • But not all addresses are active:
      • Internal: 10.5% (230,000 from 2 million)
      • External: 0.08% (3.4 million from 4.2 billion)
  • Introduce A: the fraction of active hosts
  • Risk for external addresses is higher due to
    sparsity!
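
The truncation experiment in miniature, as an added Python example that is not code from the presentation: it truncates x bits from a set of addresses, recomputes the two metrics named on slide 4 (unique address count and address entropy), and estimates a guessing probability from the active fraction A. The sample addresses are constructed, and `guess_probability` is an assumed simplification (a uniform guess among the active hosts of a truncated block), not the conditional-entropy metric the slides cite; the two values of A are the slide's internal and external figures read as percentages.

```python
import ipaddress
import math
from collections import Counter

# Constructed sample of flow source addresses (documentation ranges).
FLOW_SRC = [
    "192.0.2.1", "192.0.2.2", "192.0.2.200",
    "198.51.100.7", "198.51.100.7", "198.51.100.9",
    "203.0.113.5", "203.0.113.5",
]

A_INTERNAL = 0.105   # 230,000 active of 2 million (slide 10)
A_EXTERNAL = 0.0008  # 3.4 million active of 4.2 billion (slide 10)

def truncate(addr: str, x: int) -> str:
    """Zero the x least-significant bits of an IPv4 address."""
    mask = (0xFFFFFFFF << x) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) & mask))

def unique_count(addrs) -> int:
    return len(set(addrs))

def entropy(addrs) -> float:
    """Shannon entropy in bits of the observed address distribution."""
    n = len(addrs)
    return -sum(c / n * math.log2(c / n) for c in Counter(addrs).values())

def guess_probability(x: int, active_fraction: float) -> float:
    """Assumed model: a truncated address covers 2^x candidates, of which a
    fraction A is active; the attacker guesses uniformly among the active
    ones, and at least one (the real host) is always active."""
    return 1.0 / max(1.0, active_fraction * 2 ** x)

def sweep(addrs, active_fraction, xs=(0, 8, 16, 24, 32)):
    """Rows of (x, unique count, entropy, guessing probability)."""
    rows = []
    for x in xs:
        t = [truncate(a, x) for a in addrs]
        rows.append((x, unique_count(t), round(entropy(t), 3),
                     guess_probability(x, active_fraction)))
    return rows

if __name__ == "__main__":
    for label, a in (("internal", A_INTERNAL), ("external", A_EXTERNAL)):
        print(label)
        for row in sweep(FLOW_SRC, a):
            print("  x=%2d  unique=%d  entropy=%.3f  p_guess=%.4g" % row)
```

With A = 0.0008 the expected number of active hosts in a /24 is below one, so under this model truncating 8 bits leaves the external guessing probability at 1, while the same truncation already lowers it for the denser internal range.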

11
The Risk-Utility Tradeoff for Truncation
[Figure label: "best tradeoff"]

12
Conclusions
  • Quantitative evaluation of the risk-utility
    tradeoff in anonymization is needed
  • Entropy metrics are much more resistant to
    truncation than count metrics
  • Risk/utility degrade more quickly for internal
    addresses
      • Tolerable truncation depends on network size
  • For detection of scans/(D)DoS attacks, it is
    actually possible to get a good tradeoff with
    entropy metrics

13
Thank You
  • Questions?